How to create custom RBAC/ABAC roles in Azure?

Posted 2025-01-10 13:53:24 · 819 characters · 0 views · 0 comments


The requirement is to create an access package with a few roles so that the users can perform the activities below:

  • Read & write access to data stored in a given blob container ('abc' blob container).
  • Role to access Azure Data Factory to build pipelines, process & load the data to a staging area (to a Blob container or SQL Server).
  • DDL & DML and execute permission role to access the data/database in a SQL Server environment.

I was referring to Azure RBAC and built-in roles but was unable to get a clear idea considering the above points.

My question is, are there any built-in roles for this, OR do I need to create a custom role? And how do I create a custom role (for the above requirements) considering baseline security?

Is there any reference I can use to get additional actions, so that I can write custom JSON scripts?

My question is, are RBAC roles possible for SQL Server in a VM? If yes, how?

Additionally, if I have both a PaaS instance of SQL Server and a VM instance of SQL Server (that is, SQL Server in a VM), how will the RBAC roles be managed for both?


Comments (1)

蓝天 2025-01-17 13:53:24


According to your requirements, please go through the workarounds below, if they are helpful:

Read & write access to data stored in a given blob container ('abc' blob container).

You can make use of a built-in role like Storage Blob Data Contributor, which allows operations like read, write and delete of Azure Storage containers and blobs. If you want to know more in detail, go through this reference.

Role to access Azure Data Factory to build pipelines, process & load the data to a staging area (to a Blob container or SQL Server).

You can make use of a built-in role like Data Factory Contributor, which allows operations like creating and managing data factories, as well as the child resources within them. Those child resources include pipelines, datasets, linked services… With this role, you can build pipelines, process and load the data. If you want to know more in detail, go through this reference.

DDL & DML and execute permission role to access the data/database in a SQL Server environment.

You can make use of a built-in role like SQL Server Contributor, which allows operations like managing SQL Servers and databases. If you want to know more in detail, go through this reference.

If you want to create a custom role for all of these, make sure you have the Owner or User Access Administrator role on the subscription. You can create a custom role in 3 ways:

  • Clone a role – You can make use of existing roles and modify the permissions by adding and deleting them according to your need.
  • Start from scratch – In this, you must add all the permissions you need manually by picking them from their providers and excluding the permissions you don't need.
  • Start from JSON – Here, you can just upload a JSON file that you create separately, including all needed permissions in the Actions variable and excluded permissions in the notActions variable. If the permissions are related to data, then add them to DataActions and notDataActions based on your need. In Assignable scope, you can include the scope where the role should be available, i.e., subscription or resource group, as per need.

Considering baseline security, it is always suggested to give read permissions only. But as you need write permission for the blob container and for building pipelines, you can just add only those (read/write) in the Actions section and all the remaining ones (delete) in the NotActions section.

If you want to add additional actions, simply include those permissions in the Actions section of the JSON file and make sure to give read permissions to resource groups.

A sample custom role JSON file for your reference:

{
  "assignableScopes": [
    "/"
  ],
  "description": "Combining all 3 requirements",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/***************************",
  "name": "**********************",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Storage/storageAccounts/blobServices/containers/read",
        "Microsoft.Storage/storageAccounts/blobServices/containers/write",
        "Microsoft.DataFactory/dataFactories/*",
        "Microsoft.DataFactory/factories/*",
        "Microsoft.Sql/locations/*/read",
        "Microsoft.Sql/servers/*"
      ],
      "notActions": [
        "Microsoft.Storage/storageAccounts/blobServices/containers/delete",
        "Microsoft.Sql/servers/azureADOnlyAuthentications/delete",
        "Microsoft.Sql/servers/azureADOnlyAuthentications/write"
      ],
      "dataActions": [
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete",
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write",
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/move/action",
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Custom Role Contributor",
  "roleType": "CustomRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Reference:

Azure custom roles - Azure RBAC | Microsoft Docs
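The answer above describes the Actions / NotActions / DataActions / NotDataActions split and the Assignable scope of a custom role, but it does not show how those lists combine into an effective permission, and its sample JSON has a few points a reviewer would question (a "/" assignable scope, broad "/*" wildcards, a NotActions entry that no Actions entry covers). The following Python is an added example, written here for this page and not code from the answerer or from Microsoft. It parses a role definition offline, evaluates whether a given operation is granted, and lints the definition for the issues just named. It assumes that Azure's "*" wildcard matches any run of characters in an operation string and that a control-plane operation is granted when it matches an entry in actions and no entry in notActions (the same rule for dataActions / notDataActions); the sample role embedded in it is constructed from the answer's JSON, with a placeholder subscription id and the scope narrowed to one resource group.

```python
import json
import re

# Constructed sample for this example: the answer's role with the assignable
# scope narrowed to one resource group and a placeholder subscription id.
SAMPLE_ROLE_JSON = """{
  "roleName": "Custom Role Contributor",
  "description": "Combining all 3 requirements",
  "roleType": "CustomRole",
  "type": "Microsoft.Authorization/roleDefinitions",
  "assignableScopes": [
    "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-data"
  ],
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Storage/storageAccounts/blobServices/containers/read",
        "Microsoft.Storage/storageAccounts/blobServices/containers/write",
        "Microsoft.DataFactory/factories/*",
        "Microsoft.Sql/servers/*"
      ],
      "notActions": [
        "Microsoft.Storage/storageAccounts/blobServices/containers/delete",
        "Microsoft.Sql/servers/azureADOnlyAuthentications/write"
      ],
      "dataActions": [
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write"
      ],
      "notDataActions": []
    }
  ]
}"""


def load_role(text):
    """Parse a role definition. json.loads rejects trailing commas, the most
    common reason a hand-edited role file is refused on upload."""
    role = json.loads(text)
    for key in ("roleName", "assignableScopes", "permissions"):
        if key not in role:
            raise ValueError(f"role definition is missing '{key}'")
    return role


def _matches(pattern, operation):
    # Assumption: '*' in an action string matches any run of characters,
    # so "Microsoft.Sql/servers/*" covers every operation under servers.
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, operation, re.IGNORECASE) is not None


def allows(role, operation, data_plane=False):
    """True if the role grants the operation: it must match an entry in
    actions (dataActions) and no entry in notActions (notDataActions)."""
    grant, exclude = (("dataActions", "notDataActions") if data_plane
                      else ("actions", "notActions"))
    for perm in role["permissions"]:
        granted = any(_matches(p, operation) for p in perm.get(grant, []))
        excluded = any(_matches(p, operation) for p in perm.get(exclude, []))
        if granted and not excluded:
            return True
    return False


def lint(role):
    """Findings a reviewer would raise before assigning the role."""
    findings = []
    if "/" in role["assignableScopes"]:
        findings.append("assignableScopes contains '/': the role could be "
                        "assigned at any scope; narrow it to a subscription "
                        "or resource group")
    for perm in role["permissions"]:
        actions = perm.get("actions", [])
        for action in actions:
            if "/blobs/" in action:
                findings.append(f"{action} is a data-plane operation and "
                                "belongs in dataActions, not actions")
            if action.endswith("/*"):
                findings.append(f"{action} grants every operation on that "
                                "resource type, including delete; prefer "
                                "explicit read/write entries")
        for excluded in perm.get("notActions", []):
            if not any(_matches(a, excluded) for a in actions):
                findings.append(f"notActions entry {excluded} subtracts "
                                "nothing: no actions entry grants it")
    return findings


if __name__ == "__main__":
    role = load_role(SAMPLE_ROLE_JSON)
    for op in ("Microsoft.DataFactory/factories/pipelines/write",
               "Microsoft.Sql/servers/azureADOnlyAuthentications/write",
               "Microsoft.Storage/storageAccounts/blobServices/containers/delete"):
        print(f"{op}: {'allowed' if allows(role, op) else 'not allowed'}")
    for finding in lint(role):
        print("finding:", finding)
```

Run against the constructed sample, the lint reports the two "/*" wildcards and the containers/delete entry in notActions: NotActions only subtracts from what Actions grants, so excluding an operation that no Actions entry covers changes nothing, whereas the azureADOnlyAuthentications/write exclusion does carve a hole out of "Microsoft.Sql/servers/*". NotActions is also not a deny rule: a second role assignment on the same principal can still grant the excluded operation, so the scope in assignableScopes and the reviewing of other assignments matter as much as the lists themselves.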
